Communicable Disease Reporting and HIPAA

This memo presents the Minnesota Department of Health's (MDH's)
analysis of two issues related to the Health Insurance Portability
and Accountability Act (HIPAA) and communicable disease reporting.

Disclaimer of Legal Advice: The following
is MDH's analysis of how the Minnesota Communicable Disease Reporting
Rule, Parts 4506.7000 to 4605.7900, and Minnesota Statutes,
§144.05, subd. 1(a) interact with the Health Insurance Portability and
Accountability Act (HIPAA) privacy rules, 45 CFR Parts 160 and 164. This is
not legal advice and you should not rely on it as legal advice. Consult
with a lawyer for legal advice.

Issue

The following question has been raised by some providers, their medical
records departments, and their staff: Does HIPAA permit disclosure
of specific patient medical information related to a communicable disease
to MDH or other local public health authorities without patient authorization?

Finding

MDH has concluded that HIPAA permits a provider and/or the provider's
medical records department or staff to release a patient's medical
information pertaining to a communicable disease in accordance with the
Minnesota Communicable Disease Reporting Rule and M.S. §144.05, subd. 1(a)
without the patient's authorization. This conclusion is based on a
review of the HIPAA privacy rules and guidance from the U.S. Centers for Disease
Control and Prevention (CDC) and the U.S. Department of Health and Human Services
(DHHS). [2]

The medical information being released must be related to a communicable
disease report. This may include, but is not limited to, personally identifiable
information on the patient and their contacts, the tests conducted, the
results of those tests, treatments related to the disease, and other pertinent
information.

Analysis

HIPAA governs the use and disclosure of protected health information
(PHI). It applies to health plans, health care clearinghouses, and health
care providers who transmit certain health claims information electronically.
These entities are covered entities under the rule.

A covered entity must obtain a written authorization from the individual
for the use and disclosure of PHI unless the disclosure is to the
individual, is for treatment, payment, or health care operations, or
falls under one of the specified exceptions.

The HIPAA privacy rules, specifically 45 CFR §164.512, [3] address the uses and disclosures
of PHI for which an authorization or an opportunity to agree or object
is not required. Specifically:

Section 164.512(a) permits disclosures that are required by law, including
statutes and rules; [4]
and

Section 164.512(b) permits a covered entity to disclose PHI to:

"(i) A public health authority that is authorized by law to
collect or receive such information for the purpose of preventing
or controlling disease, injury, or disability, including but not limited
to, the reporting of disease, injury, vital events such as birth or death,
and the conduct of public health surveillance, public health investigations,
and public health interventions; ..."

Under HIPAA, 45 CFR 164.501, public health authority is defined
as "an agency or authority of ..., a State, ..., or a political
subdivision of a State ..., that is responsible for public health
matters as part of its official mandate."

Therefore, to the extent that a public health authority is authorized
by law to collect or receive information for public health purposes, covered
entities may disclose PHI to such public health authority without the
patient’s authorization.

Analysis Summary

In summary, M.S. §144.05, subd. 1(a) and the Minnesota Communicable Disease
Reporting Rules, Parts 4506.7000 to 4605.7900, allow MDH and local public
health authorities to conduct studies and investigations on communicable
diseases, such as hepatitis B, E. coli O157:H7, and STDs, to protect
the public's health. Therefore, providers, their medical records
departments, and their staff can share medical information pertaining
to a communicable disease investigation or study without patient authorization.

2. Logging Public Health Disclosures Under HIPAA

Disclaimer of Legal Advice: The following is MDH's
analysis of how a provider may account for public health disclosures to
public health entities, as allowed by the Minnesota Communicable Disease Reporting
Rule and Minnesota Statutes, §144.05, subd. 1(a), and still
be in compliance with the Health Insurance Portability and Accountability
Act (HIPAA) privacy rules, 45 CFR Parts 160 and 164. This is not legal advice
and you should not rely on it as legal advice. Consult with a lawyer for
legal advice.

Issue

The following concern has been raised by some providers: Does a provider
or its medical records department have to keep a disclosure log when they
release specific patient medical information related to a communicable
disease investigation to MDH or other local public health entities without
the patient’s authorization?

Finding

MDH has concluded that HIPAA permits a provider to account for these
disclosures in a general, non-patient-specific manner in instances of
an ongoing, regular reporting or inspection requirement. For example,
when disclosing individual protected health information (PHI) to a public
health entity as part of a communicable disease investigation, a provider
may keep a general log of disclosures rather than noting them in the individual
patient records (see example at end of memo). This finding is based on a
review of the HIPAA privacy rules and guidance from the Centers for Disease
Control and Prevention (CDC) and the U.S. Department of Health and Human
Services (DHHS).

Analysis

As discussed previously, HIPAA permits a provider and/or the provider’s
medical records department or staff to release a patient’s medical
information pertaining to a communicable disease in accordance with the
Minnesota Communicable Disease Reporting Rule and M.S. §144.05, subd. 1(a)
without the patient's authorization. At the same time, however,
HIPAA requires that a covered entity, such as a provider, account for
each disclosure of PHI to a public health authority made without the patient's
authorization. Specifically, the provider must record in a disclosure log
each disclosure of PHI made without the patient's authorization
(45 CFR 164.528).

The required accounting of disclosures may be accomplished in different
ways. Typically, the covered entity must keep an accounting of each disclosure
by date, the information disclosed, the identity of the recipient, and
the purpose of the disclosure. However, 45 CFR 164.528(b)(3) does not require
this type of log when a provider makes multiple disclosures for the same
purpose. According to the CDC and DHHS,

“Where the covered entity has, during the accounting period, made multiple
disclosures to the same recipient for the same purpose, the Privacy
Rule provides for a simplified means of accounting. In such cases, the
covered entity need only identify the recipient of such repetitive disclosures,
the purpose of the disclosure, and describe the PHI routinely disclosed.
The date of each disclosure need not be tracked.

Rather, the accounting may include the date of the first and last such
disclosure during the accounting period, and a description of the frequency
or periodicity of such disclosures. For example, the vast amount of
data exchanged between covered entities and public health authorities
is made through ongoing, regular reporting or inspection requirement.”
[5]

The following is an example of this type of disclosure.

A health care provider covered by HIPAA routinely reports all cases
of hepatitis B or E. coli O157:H7 it diagnoses to MDH. In this
instance, the provider (covered entity) does not need to annotate each
patient's medical record when these routine public health disclosures
are made. Instead, the provider only needs to keep a general
log of the following:

Based on the above analysis, MDH concludes that covered entities,
such as health care providers, may maintain a general, non-patient-specific
disclosure log for purposes of ongoing, regular reporting or inspection
requirements.